We have a setup where our server, running a symfony2 application, is inside the client's network.
Is there a way to allow only the /api* path to be accessed from an external network (= the internet)?
I'm assuming the best approach is configuring nginx, but I can only find how to block all URLs or none.
Try this:
location /api/ {
    # Deny private IPv4 address spaces (RFC 1918); rules are checked in order, first match wins
    deny 10.0.0.0/8;
    deny 172.16.0.0/12;
    deny 192.168.0.0/16;
    allow all;
}
See http://wiki.nginx.org/HttpAccessModule for more information.
I am managing a subdomain using nginx conf files. I am able to get a working subdomain up, and deny access to it (resulting in 403) by including deny all;. However, when I try to add allow 1.2.3.4; (not posting my real IP address) right above it (this is where I understand you have to put it to allow access to your own IP address), I am still getting 403 when I try to access the subdomain on my browser (in firefox private mode). I got my IP address through https://www.whatismyip.com/, and I am using the one given under "My Public IPv4 is: ". Is this the correct IP address I should be using? If not how should I go about finding the right IP address to allow?
Maybe this will help if you want to access your resource via nginx locally. You should put it in the root block of a subdomain.
allow 127.0.0.1;
deny all;
I am trying to configure Digest Auth in nginx. I am using the unofficial module for that, the NGINX Digest module, and for the most part I can get it to work just fine: I am able to lock down an endpoint unless it's a GET. Here is my location config.
location /config {
    proxy_pass http://internal_config_service/config;
    # every method except GET is challenged
    limit_except GET {
        auth_digest "peek a boo";
    }
}
However, I have a scenario where I want to allow localhost unchallenged, and I'm not really finding a great way to do that.
Things I've explored: I've tried allow 127.0.0.1; and I've even looked into doing something with if, checking whether $host is local and not adding the digest directives, but I don't think that's even possible, because my understanding is that the config is pretty static.
The one solution I can think of that might work, but requires a fair amount of work and adds extra confusion for someone new, is to create 2 servers: one that is accessible by localhost only, allows localhost through unchallenged and cannot be accessed externally, and a 2nd server that is publicly accessible and is locked down with digest.
I'm hoping for a better solution, but I am still kind of learning the intricacies of NGINX as I go and am not optimistic about finding one.
You can use the satisfy directive:
http://nginx.org/en/docs/http/ngx_http_core_module.html#satisfy
The problem: I don't know whether auth_digest (the unofficial module) takes part in the auth phase of NGINX request processing. But if this is the case you can make use of auth_request in addition. Give this a try:
...
location /authreq {
    satisfy any;
    allow 127.0.0.1;
    deny all;
    auth_digest "something";
    # If auth_digest is not working try
    auth_request /_authdigest;
}
location = /_authdigest {
    internal;
    auth_digest "something";
}
Update to your question regarding allow 127.0.0.1; deny all:
This will NOT block all other clients / traffic. It's telling NGINX, in combination with satisfy any, that if the IP is not 127.0.0.1 any other auth function (auth_basic, auth_jwt, auth_request) has to be successful to let the request pass. In my demo: if I am not sending a request to localhost I will have to go through the auth_request location. If the auth_request returns something like 200 it satisfies my configuration and I am allowed to connect to the proxy upstream.
I have built a little njs script disabling the auth_digest for the user and authenticating the proxy request against a digest-auth-protected backend. But that's not what you need, is it?
If you want to split up the configuration, one for localhost and the other one for the public IP, your server configuration could look like this:
server {
    listen 127.0.0.1:80;
    ## do localhost configuration here
}
server {
    listen 80;
    ## apply configuration for the IP of nic eth0 (for example) here.
}
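The allow/deny ordering and the satisfy any behaviour discussed in the three threads above (the /api/ rules in the first answer, the allow 1.2.3.4; deny all; puzzle, and the allow 127.0.0.1; deny all; plus satisfy any answer) can be checked offline with the following added model. It is not nginx code and not from any of the posters; it reproduces the documented semantics of ngx_http_access_module (rules are checked in order, the first match wins, no match means allowed, and the comparison is against $remote_addr, the TCP peer address) and of the satisfy directive. The client addresses and the auth verdicts are constructed:

```python
"""Model of how nginx applies allow/deny rules and the satisfy directive.

Added example, not nginx's own code and not from any of the answers above: it
reproduces the documented behaviour of ngx_http_access_module (rules are
checked in order and the first match wins; a request matching no rule is
allowed) and of satisfy (with "all", the default, the address rules and the
auth module must both accept the request; with "any", one of them is enough).
The sample client addresses and auth results below are constructed.
"""
import ipaddress


def parse_rules(config_lines):
    """Turn lines such as 'deny 10.0.0.0/8;' into (action, network) tuples.

    network is None for 'all'. Comments and blank lines are skipped.
    """
    rules = []
    for raw in config_lines:
        line = raw.split("#", 1)[0].strip().rstrip(";").strip()
        if not line:
            continue
        action, target = line.split()
        if action not in ("allow", "deny"):
            raise ValueError(f"not an access rule: {raw!r}")
        network = None if target == "all" else ipaddress.ip_network(target, strict=False)
        rules.append((action, network))
    return rules


def address_allowed(remote_addr, rules):
    """Apply the access module's first-match rule to $remote_addr.

    nginx compares the address of the TCP peer, so an IPv6 client or a request
    arriving through a proxy never matches an IPv4 /32 allow rule.
    """
    addr = ipaddress.ip_address(remote_addr)
    for action, network in rules:
        matches = network is None or (addr.version == network.version and addr in network)
        if matches:
            return action == "allow"
    return True  # no rule matched: the access module does not object


def request_passes(remote_addr, rules, auth_ok, satisfy="all"):
    """Combine the address decision with an auth module's verdict as satisfy does."""
    addr_ok = address_allowed(remote_addr, rules)
    if satisfy == "any":
        return addr_ok or auth_ok
    return addr_ok and auth_ok


# The /api/ rules from the first answer (internet allowed, RFC 1918 denied).
API_RULES = parse_rules([
    "deny 10.0.0.0/8;",
    "deny 172.16.0.0/12;",
    "deny 192.168.0.0/16;",
    "allow all;",
])

# Second question: one public address allowed, everything else denied.
# 1.2.3.4 is the poster's placeholder, not a real client.
ONE_CLIENT_RULES = parse_rules(["allow 1.2.3.4;", "deny all;"])

# Same two lines in the wrong order: 'deny all' matches first, so the later
# allow is never reached and 1.2.3.4 gets 403 as well.
WRONG_ORDER_RULES = parse_rules(["deny all;", "allow 1.2.3.4;"])

# Digest thread: localhost passes on address alone, everyone else needs auth.
LOCALHOST_RULES = parse_rules(["allow 127.0.0.1;", "deny all;"])


def demo():
    """Return the decisions for a few constructed client addresses."""
    return {
        "api from LAN 10.1.2.3": address_allowed("10.1.2.3", API_RULES),
        "api from internet 203.0.113.7": address_allowed("203.0.113.7", API_RULES),
        "1.2.3.4 with allow before deny": address_allowed("1.2.3.4", ONE_CLIENT_RULES),
        "1.2.3.4 with deny before allow": address_allowed("1.2.3.4", WRONG_ORDER_RULES),
        "IPv6 client against IPv4 allow": address_allowed("2001:db8::1", ONE_CLIENT_RULES),
        "localhost, no credentials, satisfy any":
            request_passes("127.0.0.1", LOCALHOST_RULES, auth_ok=False, satisfy="any"),
        "remote, no credentials, satisfy any":
            request_passes("203.0.113.7", LOCALHOST_RULES, auth_ok=False, satisfy="any"),
        "remote, valid credentials, satisfy any":
            request_passes("203.0.113.7", LOCALHOST_RULES, auth_ok=True, satisfy="any"),
        "remote, valid credentials, satisfy all":
            request_passes("203.0.113.7", LOCALHOST_RULES, auth_ok=True, satisfy="all"),
    }


if __name__ == "__main__":
    for case, decision in demo().items():
        print(f"{'pass' if decision else '403':>4}  {case}")
```

Two things stand out in the output. With satisfy all (the default), allow 127.0.0.1; deny all; does reject every remote client even with valid credentials, which is exactly what satisfy any changes. And an IPv6 client, or a request that reaches nginx through a proxy, never matches an IPv4 /32 allow rule, because nginx compares $remote_addr, the peer address of the connection, not the public IPv4 a "what is my IP" page reports.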
I just migrated my Drupal 8 site from an Apache server to Nginx.
I applied the configuration below :
https://www.nginx.com/resources/wiki/start/topics/recipes/drupal/
I do not understand what this block is for. Should I enter the IP address of my server instead of this one ?
# Very rarely should these ever be accessed outside of your lan
location ~* \.(txt|log)$ {
    allow 192.168.0.0/16;
    deny all;
}
The rule will only be useful if you have .txt or .log files in a directory accessible through the web server.
If that is the case, for security reasons, you should list all IP addresses that can access those files. All other addresses will be banned.
However, it is very unlikely that you want to serve log files via http, so you could just deny all.
More information in the nginx docs:
http://nginx.org/en/docs/http/ngx_http_access_module.html
I'm looking for a solution to prevent hot-linking with NGINX for JWPlayer. Say I have an NGINX server configured as a reverse proxy at http://mydomain1.com; I'll get the URL http://mydomain1.com/file.mp4 to put on my website hosted on another VPS at http://mydomain2.com. How do I restrict the file so it can be played on http://mydomain2.com only and nowhere else?
I tried the allow & deny directives, but then I realized this is HTML5 streaming, so the directives would block the stream to users.
On the nginx of mydomain1.com, make sure you have one additional block which listens as the default host and denies all traffic. Then in the existing listen block we add a rule to allow only www.mydomain2.com:
map $http_referer $allowed_referer {
    default 0;
    # Anchored regex with escaped dots, so only pages served from
    # www.mydomain2.com match (not e.g. www.mydomain2.com.evil.example)
    "~^https?://www\.mydomain2\.com/" 1;
}
server {
    listen 80 default_server;
    server_name _;
    deny all;
}
server {
    listen 80;
    server_name www.mydomain1.com;
    location / {
        if ($allowed_referer = 0) {
            return 404 "Not sure its there";
        }
        # existing reverse-proxy configuration for the media files goes here
    }
}
Because the mp4 URL will be put in an HTML5 player, the remote address (the user's machine) will always communicate directly with the reverse proxy. So it's impossible to restrict access using other methods except the nginx secure link module. With this module I'm now able to restrict access based on the user's IP, expiration time, URL and a secret word.
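The secure link approach the answer settled on needs a generator on the mydomain2.com side that produces the md5/expires pair for each viewer. The following is an added example, not the answer's code and not part of nginx; it implements the documented secure_link_md5 scheme (MD5 of the expression, base64url-encoded without padding) against an assumed location block on mydomain1.com whose path, secret and sample addresses are placeholders:

```python
"""Generate and verify tokens for nginx's secure_link_md5 scheme.

Added example; it is not the answer's code and not part of nginx. It applies
the scheme documented for ngx_http_secure_link_module: the token is the MD5 of
the secure_link_md5 expression, base64url-encoded with the '=' padding removed.
It assumes this location on mydomain1.com (the /video/ path, the secret and
the sample addresses are placeholders):

    location /video/ {
        secure_link     $arg_md5,$arg_expires;
        secure_link_md5 "$secure_link_expires$uri$remote_addr change-me";
        if ($secure_link = "")  { return 403; }   # missing or wrong token
        if ($secure_link = "0") { return 410; }   # token expired
        # ... proxy_pass / root for the media files ...
    }
"""
import base64
import hashlib
import hmac
import time
from urllib.parse import urlencode

SECRET = "change-me"  # placeholder; must equal the literal in secure_link_md5


def secure_link_token(expires, uri, remote_addr, secret=SECRET):
    """MD5 of '<expires><uri><remote_addr> <secret>', base64url, no padding."""
    expression = f"{expires}{uri}{remote_addr} {secret}".encode()
    digest = hashlib.md5(expression).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()


def signed_url(base, uri, remote_addr, ttl_seconds, now=None):
    """URL that the page on mydomain2.com embeds for one viewer.

    The token binds the viewer's address, so it has to be generated per
    request with the address nginx on mydomain1.com will see as $remote_addr.
    """
    now = int(time.time() if now is None else now)
    expires = now + ttl_seconds
    token = secure_link_token(expires, uri, remote_addr)
    return f"{base}{uri}?{urlencode({'md5': token, 'expires': expires})}"


def verify(uri, remote_addr, md5, expires, now=None):
    """Reproduce $secure_link: '' for a bad token, '0' for expired, '1' for valid."""
    try:
        expires = int(expires)
        expected = secure_link_token(expires, uri, remote_addr)
        if not hmac.compare_digest(expected, md5 or ""):
            return ""
    except (TypeError, ValueError):
        return ""  # non-numeric expires or non-ASCII token
    now = int(time.time() if now is None else now)
    if expires < now:
        return "0"
    return "1"


if __name__ == "__main__":
    # Constructed viewer address from the documentation range.
    print(signed_url("http://mydomain1.com", "/video/file.mp4", "203.0.113.9", 3600))
```

Because the expression includes $remote_addr, the page on mydomain2.com must sign each link with the address that nginx on mydomain1.com will see for that viewer; if the two hosts see different client addresses (NAT or a proxy between them), bind only $secure_link_expires and $uri instead. verify mirrors what $secure_link would hold, so a generated pair can be checked before it is deployed.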
I have a lot of domain names configured as virtual hosts in nginx. They all have the same document root. I want to restrict access for a huge number of different IPs. Is there any way to do it at a higher level than the virtual host configuration, for example in the main http{} block?
Yes, you can use ngx_http_geo_module to block certain IPs from accessing your virtual hosts. This module helps you create variables with values based on the client IP address. You can define the IPs at the http level. Here is an example.
http {
    geo $spamers {
        # --allow all --
        default no;
        #-- block these bad ips --
        192.0.171.118 spam;
        192.0.179.119 spam;
        192.0.179.120 spam;
        192.128.168.0/20 spam;
    }
    # server blocks follow
}
You can add as many IPs as you want, and then in the location blocks of the servers for which you want to restrict these IPs you can add a check:
location ~* /mysite/www/ {
    if ( $spamers = spam ) {
        # -- Return a forbidden message
        return 403;
    }
}
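To see how the $spamers block is resolved for a given client, here is an added model of the geo lookup; it is not nginx code and not from the answer. The geo module picks the most specific (longest-prefix) matching entry, so overlapping entries can exempt a single host from a blocked range, which the allow/deny directives can only do through rule order. The entries are the ones from the answer plus one constructed /32 exception; the client addresses are constructed:

```python
"""Model of the geo lookup behind the $spamers block above.

Added example, not nginx's own code. ngx_http_geo_module resolves the client
address through a radix tree, so the value comes from the most specific
(longest-prefix) entry containing the address, falling back to `default`;
unlike allow/deny, the order of the entries does not matter. The entries are
those from the answer; the /32 exception at the end is a constructed addition.
"""
import ipaddress


def parse_geo(block_lines):
    """Parse 'address value;' and 'default value;' lines from a geo block."""
    default, entries = None, []
    for raw in block_lines:
        line = raw.split("#", 1)[0].strip().rstrip(";").strip()
        if not line:
            continue
        key, value = line.split()
        if key == "default":
            default = value
        else:
            # strict=False mirrors nginx, which masks off the low address bits
            # of a non-aligned CIDR such as 192.128.168.0/20 (with a warning).
            entries.append((ipaddress.ip_network(key, strict=False), value))
    return default, entries


def geo_lookup(remote_addr, default, entries):
    """Longest-prefix match over the entries, as the geo module does."""
    addr = ipaddress.ip_address(remote_addr)
    best = None
    for network, value in entries:
        if addr.version == network.version and addr in network:
            if best is None or network.prefixlen > best[0].prefixlen:
                best = (network, value)
    return best[1] if best else default


SPAMERS_BLOCK = [
    "default no;",
    "192.0.171.118 spam;",
    "192.0.179.119 spam;",
    "192.0.179.120 spam;",
    "192.128.168.0/20 spam;",
    "192.128.170.5 no;",  # constructed: one host inside the /20 that is let through
]
DEFAULT, ENTRIES = parse_geo(SPAMERS_BLOCK)


def status_for(remote_addr):
    """What `if ($spamers = spam) { return 403; }` yields for this client."""
    return 403 if geo_lookup(remote_addr, DEFAULT, ENTRIES) == "spam" else 200


if __name__ == "__main__":
    # Constructed clients: listed host, unlisted neighbour, inside the /20,
    # the /32 exception, just outside the /20.
    for client in ("192.0.171.118", "192.0.171.119", "192.128.170.6",
                   "192.128.170.5", "192.128.176.1"):
        print(client, status_for(client))
```

Like the access module, geo evaluates $remote_addr. If the virtual hosts sit behind a load balancer, the geo block needs a proxy directive listing the balancer's addresses (and proxy_recursive where several hops are involved) so that the client address is taken from X-Forwarded-For; otherwise every request resolves to the balancer's address and the block either matches nothing or everything.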